A Java SE flaw Oracle reported as patched in 2013 can be easily bypassed today, security researchers have found, which means that millions of Java users have been vulnerable to this flaw for about three years.

Adam Gowdiak, CEO and founder of Poland-based Security Explorations, disclosed information about the broken fix at the 2016 JavaLand conference in Bruhl, Germany, and posted an exploit on the Full Disclosure mailing list.

Security Explorations originally found the flaw (CVE-2013-5838) and reported a vulnerability that made it possible to implement a class spoofing attack against the JVM back in July 2013. Oracle reported the following September that the vulnerability had been addressed by a backported implementation from JDK 8 of the affected component in JDK 7 Update 40.

However, Security Explorations showed how the fix can be trivially bypassed by making a four-character change to the proof-of-concept exploit code.

"We implemented a Proof of Concept code that illustrates the impact of the broken fix described above," the researchers wrote in a report. "It has been successfully tested in the environment of Java SE Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. In all cases, a complete Java security sandbox escape could be achieved."

Gowdiak also wrote that Oracle "improperly evaluated the impact" of this vulnerability, claiming that it could "be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."

"This is not true," Gowdiak wrote. "We verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java."

Fortunately, the exploit code doesn't bypass Oracle's click-to-play browser feature that blocks Java content by default. Introduced in 2014, the feature presents a Web page as a blank space until the user clicks the box to enable the content. This seems to have mitigated the vulnerability of Java in the browser, which was largely the result of the way Oracle has bundled the Java browser extension with the Java runtime environment (JRE).

Security researchers typically give the vendor a heads up before reporting a flaw, so they can report that it has been fixed and that vulnerability doesn't become a bullseye for malicious hackers. But the company no longer tolerates broken fixes, and reports them without prior notice.

"The vendor that gets the questionable honor to be the first to experience our modified Disclosure Policy is Oracle," Gowdiak wrote.